dissect.target 3.18.dev16__py3-none-any.whl → 3.19__py3-none-any.whl

dissect/target/plugins/os/unix/linux/_os.py

@@ -1,5 +1,6 @@
+from __future__ import annotations
+
 import logging
-from typing import Optional
 
 from dissect.target.filesystem import Filesystem
 from dissect.target.helpers.network_managers import (
@@ -8,6 +9,8 @@ from dissect.target.helpers.network_managers import (
 )
 from dissect.target.plugin import OperatingSystem, export
 from dissect.target.plugins.os.unix._os import UnixPlugin
+from dissect.target.plugins.os.unix.bsd.osx._os import MacPlugin
+from dissect.target.plugins.os.windows._os import WindowsPlugin
 from dissect.target.target import Target
 
 log = logging.getLogger(__name__)
@@ -20,17 +23,13 @@ class LinuxPlugin(UnixPlugin, LinuxNetworkManager):
         self.network_manager.discover()
 
     @classmethod
-    def detect(cls, target: Target) -> Optional[Filesystem]:
+    def detect(cls, target: Target) -> Filesystem | None:
         for fs in target.filesystems:
             if (
-                fs.exists("/var")
-                and fs.exists("/etc")
-                and fs.exists("/opt")
-                or (fs.exists("/sys") or fs.exists("/proc"))
-                and not fs.exists("/Library")
-            ):
+                (fs.exists("/var") and fs.exists("/etc") and fs.exists("/opt"))
+                or (fs.exists("/sys/module") or fs.exists("/proc/sys"))
+            ) and not (MacPlugin.detect(target) or WindowsPlugin.detect(target)):
                 return fs
-        return None
 
     @export(property=True)
     def ips(self) -> list[str]:
@@ -41,7 +40,7 @@ class LinuxPlugin(UnixPlugin, LinuxNetworkManager):
             for ip in ip_set:
                 ips.append(ip)
 
-        for ip in parse_unix_dhcp_log_messages(self.target):
+        for ip in parse_unix_dhcp_log_messages(self.target, iter_all=False):
             if ip not in ips:
                 ips.append(ip)
 
@@ -68,7 +67,7 @@ class LinuxPlugin(UnixPlugin, LinuxNetworkManager):
         return self.network_manager.get_config_value("netmask")
 
     @export(property=True)
-    def version(self) -> str:
+    def version(self) -> str | None:
         distrib_description = self._os_release.get("DISTRIB_DESCRIPTION", "")
         name = self._os_release.get("NAME", "") or self._os_release.get("DISTRIB_ID", "")
         version = (
@@ -77,11 +76,13 @@ class LinuxPlugin(UnixPlugin, LinuxNetworkManager):
             or self._os_release.get("DISTRIB_RELEASE", "")
         )
 
+        if not any([name, version, distrib_description]):
+            return None
+
         if len(f"{name} {version}") > len(distrib_description):
-            return f"{name} {version}"
+            distrib_description = f"{name} {version}"
 
-        else:
-            return distrib_description
+        return distrib_description or None
 
     @export(property=True)
     def os(self) -> str:

dissect/target/plugins/os/unix/linux/android/_os.py

@@ -1,33 +1,23 @@
 from __future__ import annotations
 
-from typing import Iterator, Optional, TextIO
+from typing import Iterator, Optional
 
 from dissect.target.filesystem import Filesystem
-from dissect.target.helpers.record import UnixUserRecord
+from dissect.target.helpers import configutil
+from dissect.target.helpers.record import EmptyRecord
 from dissect.target.plugin import OperatingSystem, export
 from dissect.target.plugins.os.unix.linux._os import LinuxPlugin
 from dissect.target.target import Target
 
 
-class BuildProp:
-    def __init__(self, fh: TextIO):
-        self.props = {}
-
-        for line in fh:
-            line = line.strip()
-
-            if not line or line.startswith("#"):
-                continue
-
-            k, v = line.split("=")
-            self.props[k] = v
-
-
 class AndroidPlugin(LinuxPlugin):
     def __init__(self, target: Target):
         super().__init__(target)
         self.target = target
-        self.props = BuildProp(self.target.fs.path("/build.prop").open("rt"))
+
+        self.props = {}
+        if (build_prop := self.target.fs.path("/build.prop")).exists():
+            self.props = configutil.parse(build_prop, separator=("=",), comment_prefixes=("#",)).parsed_data
 
     @classmethod
     def detect(cls, target: Target) -> Optional[Filesystem]:
@@ -42,8 +32,8 @@ class AndroidPlugin(LinuxPlugin):
         return cls(target)
 
     @export(property=True)
-    def hostname(self) -> str:
-        return self.props.props["ro.build.host"]
+    def hostname(self) -> Optional[str]:
+        return self.props.get("ro.build.host")
 
     @export(property=True)
     def ips(self) -> list[str]:
@@ -53,11 +43,11 @@ class AndroidPlugin(LinuxPlugin):
     def version(self) -> str:
         full_version = "Android"
 
-        release_version = self.props.props.get("ro.build.version.release")
-        if release_version := self.props.props.get("ro.build.version.release"):
+        release_version = self.props.get("ro.build.version.release")
+        if release_version := self.props.get("ro.build.version.release"):
             full_version += f" {release_version}"
 
-        if security_patch_version := self.props.props.get("ro.build.version.security_patch"):
+        if security_patch_version := self.props.get("ro.build.version.security_patch"):
             full_version += f" ({security_patch_version})"
 
         return full_version
@@ -66,5 +56,6 @@ class AndroidPlugin(LinuxPlugin):
     def os(self) -> str:
         return OperatingSystem.ANDROID.value
 
-    def users(self) -> Iterator[UnixUserRecord]:
-        raise NotImplementedError()
+    @export(record=EmptyRecord)
+    def users(self) -> Iterator[EmptyRecord]:
+        yield from ()

dissect/target/plugins/os/unix/linux/redhat/_os.py

@@ -5,7 +5,7 @@ from dissect.target.plugins.os.unix.linux._os import LinuxPlugin
 from dissect.target.target import Target
 
 
-class RedHat(LinuxPlugin):
+class RedHatPlugin(LinuxPlugin):
     def __init__(self, target: Target):
         super().__init__(target)
 

dissect/target/plugins/os/unix/locale.py

@@ -1,4 +1,7 @@
+from __future__ import annotations
+
 from pathlib import Path
+from typing import Iterator
 
 from dissect.target.helpers.localeutil import normalize_language
 from dissect.target.helpers.record import TargetRecordDescriptor
@@ -30,7 +33,7 @@ class LocalePlugin(Plugin):
         pass
 
     @export(property=True)
-    def timezone(self):
+    def timezone(self) -> str | None:
         """Get the timezone of the system."""
 
         # /etc/timezone should contain a simple timezone string
@@ -58,15 +61,23 @@ class LocalePlugin(Plugin):
             size = p_localtime.stat().st_size
             sha1 = p_localtime.get().sha1()
             for path in self.target.fs.path("/usr/share/zoneinfo").rglob("*"):
+                # Ignore posix files in zoneinfo directory (RHEL).
+                if path.name.startswith("posix"):
+                    continue
+
                 if path.is_file() and path.stat().st_size == size and path.get().sha1() == sha1:
                     return timezone_from_path(path)
 
     @export(property=True)
-    def language(self):
+    def language(self) -> list[str]:
         """Get the configured locale(s) of the system."""
-        # Although this purports to be a generic function for Unix targets,
-        # these paths are Linux specific.
-        locale_paths = ["/etc/default/locale", "/etc/locale.conf"]
+
+        # Although this purports to be a generic function for Unix targets, these paths are Linux specific.
+        locale_paths = [
+            "/etc/default/locale",
+            "/etc/locale.conf",
+            "/etc/sysconfig/i18n",
+        ]
 
         found_languages = []
 
@@ -79,7 +90,7 @@ class LocalePlugin(Plugin):
         return found_languages
 
     @export(record=UnixKeyboardRecord)
-    def keyboard(self):
+    def keyboard(self) -> Iterator[UnixKeyboardRecord]:
         """Get the keyboard layout(s) of the system."""
 
         paths = ["/etc/default/keyboard", "/etc/vconsole.conf"] + list(

dissect/target/plugins/os/unix/shadow.py

@@ -29,39 +29,55 @@ class ShadowPlugin(Plugin):
         if not self.target.fs.path("/etc/shadow").exists():
             raise UnsupportedPluginError("No shadow file found")
 
+    SHADOW_FILES = ["/etc/shadow", "/etc/shadow-"]
+
     @export(record=UnixShadowRecord)
     def passwords(self) -> Iterator[UnixShadowRecord]:
-        """Recover shadow records from /etc/shadow files."""
-
-        if (path := self.target.fs.path("/etc/shadow")).exists():
-            for line in path.open("rt"):
-                line = line.strip()
-                if line == "" or line.startswith("#"):
-                    continue
-
-                shent = dict(enumerate(line.split(":")))
-                crypt = extract_crypt_details(shent)
-
-                # do not return a shadow record if we have no hash
-                if crypt.get("hash") is None or crypt.get("hash") == "":
-                    continue
-
-                yield UnixShadowRecord(
-                    name=shent.get(0),
-                    crypt=shent.get(1),
-                    algorithm=crypt.get("algo"),
-                    crypt_param=crypt.get("param"),
-                    salt=crypt.get("salt"),
-                    hash=crypt.get("hash"),
-                    last_change=shent.get(2),
-                    min_age=shent.get(3),
-                    max_age=shent.get(4),
-                    warning_period=shent.get(5),
-                    inactivity_period=shent.get(6),
-                    expiration_date=shent.get(7),
-                    unused_field=shent.get(8),
-                    _target=self.target,
-                )
+        """Yield shadow records from /etc/shadow files.
+
+        Resources:
+            - https://manpages.ubuntu.com/manpages/oracular/en/man5/passwd.5.html#file:/etc/shadow
+        """
+
+        seen_hashes = set()
+
+        for shadow_file in self.SHADOW_FILES:
+            if (path := self.target.fs.path(shadow_file)).exists():
+                for line in path.open("rt"):
+                    line = line.strip()
+                    if line == "" or line.startswith("#"):
+                        continue
+
+                    shent = dict(enumerate(line.split(":")))
+                    crypt = extract_crypt_details(shent)
+
+                    # do not return a shadow record if we have no hash
+                    if crypt.get("hash") is None or crypt.get("hash") == "":
+                        continue
+
+                    # prevent duplicate user hashes
+                    current_hash = (shent.get(0), crypt.get("hash"))
+                    if current_hash in seen_hashes:
+                        continue
+
+                    seen_hashes.add(current_hash)
+
+                    yield UnixShadowRecord(
+                        name=shent.get(0),
+                        crypt=shent.get(1),
+                        algorithm=crypt.get("algo"),
+                        crypt_param=crypt.get("param"),
+                        salt=crypt.get("salt"),
+                        hash=crypt.get("hash"),
+                        last_change=shent.get(2),
+                        min_age=shent.get(3),
+                        max_age=shent.get(4),
+                        warning_period=shent.get(5),
+                        inactivity_period=shent.get(6),
+                        expiration_date=shent.get(7),
+                        unused_field=shent.get(8),
+                        _target=self.target,
+                    )
 
 
 def extract_crypt_details(shent: dict) -> dict:

dissect/target/plugins/os/windows/_os.py

@@ -79,15 +79,15 @@ class WindowsPlugin(OSPlugin):
             self.target.log.debug("", exc_info=e)
 
         sysvol_drive = self.target.fs.mounts.get("sysvol")
-        # Fallback mount the sysvol to C: if we didn't manage to mount it to any other drive letter
-        if sysvol_drive and operator.countOf(self.target.fs.mounts.values(), sysvol_drive) == 1:
+        if not sysvol_drive:
+            self.target.log.warning("No sysvol drive found")
+        elif operator.countOf(self.target.fs.mounts.values(), sysvol_drive) == 1:
+            # Fallback mount the sysvol to C: if we didn't manage to mount it to any other drive letter
             if "c:" not in self.target.fs.mounts:
                 self.target.log.debug("Unable to determine drive letter of sysvol, falling back to C:")
                 self.target.fs.mount("c:", sysvol_drive)
             else:
                 self.target.log.warning("Unknown drive letter for sysvol")
-        else:
-            self.target.log.warning("No sysvol drive found")
 
     @export(property=True)
     def hostname(self) -> Optional[str]:

dissect/target/plugins/os/windows/adpolicy.py

@@ -69,7 +69,10 @@ class ADPolicyPlugin(Plugin):
                 xml = task_file.read_text()
                 tree = ElementTree.fromstring(xml)
                 for task in tree.findall(".//{*}Task"):
-                    properties = task.find("Properties") or task
+                    # https://github.com/python/cpython/issues/83122
+                    if (properties := task.find("Properties")) is None:
+                        properties = task
+
                     task_data = ElementTree.tostring(task)
                     yield ADPolicyRecord(
                         last_modification_time=task_file_stat.st_mtime,

dissect/target/plugins/os/windows/catroot.py

@@ -5,6 +5,7 @@ from flow.record.fieldtypes import digest
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.helpers.utils import findall
 from dissect.target.plugin import Plugin, export
 
 try:
@@ -36,17 +37,6 @@ CatrootRecord = TargetRecordDescriptor(
 )
 
 
-def findall(buf: bytes, needle: bytes) -> Iterator[int]:
-    offset = 0
-    while True:
-        offset = buf.find(needle, offset)
-        if offset == -1:
-            break
-
-        yield offset
-        offset += 1
-
-
 def _get_package_name(sequence: Sequence) -> str:
     """Parse sequences within a sequence and return the 'PackageName' value if it exists."""
     for value in sequence.native.values():

dissect/target/plugins/os/windows/credential/lsa.py

@@ -0,0 +1,174 @@
+from __future__ import annotations
+
+import hashlib
+from functools import cached_property
+from typing import Iterator
+
+from dissect.target.exceptions import RegistryKeyNotFoundError, UnsupportedPluginError
+from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugin import Plugin, export
+
+try:
+    from Crypto.Cipher import AES, ARC4, DES
+
+    HAS_CRYPTO = True
+except ImportError:
+    HAS_CRYPTO = False
+
+
+LSASecretRecord = TargetRecordDescriptor(
+    "windows/credential/lsa",
+    [
+        ("datetime", "ts"),
+        ("string", "name"),
+        ("string", "value"),
+    ],
+)
+
+
+class LSAPlugin(Plugin):
+    """Windows Local Security Authority (LSA) plugin.
+
+    Resources:
+        - https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication
+        - https://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html (Windows XP)
+        - https://github.com/fortra/impacket/blob/master/impacket/examples/secretsdump.py
+    """
+
+    __namespace__ = "lsa"
+
+    SECURITY_POLICY_KEY = "HKEY_LOCAL_MACHINE\\SECURITY\\Policy"
+    SYSTEM_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA"
+
+    def check_compatible(self) -> None:
+        if not HAS_CRYPTO:
+            raise UnsupportedPluginError("Missing pycryptodome dependency")
+
+        if not self.target.has_function("registry") or not list(self.target.registry.keys(self.SYSTEM_KEY)):
+            raise UnsupportedPluginError("Registry key not found: %s", self.SYSTEM_KEY)
+
+    @cached_property
+    def syskey(self) -> bytes:
+        """Return byte value of Windows system SYSKEY, also called BootKey."""
+        lsa = self.target.registry.key(self.SYSTEM_KEY)
+        syskey_keys = ["JD", "Skew1", "GBG", "Data"]
+        # This magic value rotates the order of the data
+        alterator = [0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3, 0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7]
+
+        r = bytes.fromhex("".join([lsa.subkey(key).class_name for key in syskey_keys]))
+        return bytes(r[i] for i in alterator)
+
+    @cached_property
+    def lsakey(self) -> bytes:
+        """Decrypt and return the LSA key of the Windows system."""
+        security_pol = self.target.registry.key(self.SECURITY_POLICY_KEY)
+
+        try:
+            # Windows Vista or newer
+            enc_key = security_pol.subkey("PolEKList").value("(Default)").value
+            lsa_key = _decrypt_aes(enc_key, self.syskey)
+            return lsa_key[68:100]
+        except RegistryKeyNotFoundError:
+            pass
+
+        try:
+            # Windows XP
+            enc_key = security_pol.subkey("PolSecretEncryptionKey").value("(Default)").value
+            lsa_key = _decrypt_rc4(enc_key, self.syskey)
+            return lsa_key[16:32]
+        except RegistryKeyNotFoundError:
+            pass
+
+        raise ValueError("Unable to determine LSA policy key location in registry")
+
+    @cached_property
+    def _secrets(self) -> dict[str, bytes] | None:
+        """Return dict of Windows system decrypted LSA secrets."""
+        if not self.target.ntversion:
+            raise ValueError("Unable to determine Windows NT version")
+
+        result = {}
+        for subkey in self.target.registry.key(self.SECURITY_POLICY_KEY).subkey("Secrets").subkeys():
+            enc_data = subkey.subkey("CurrVal").value("(Default)").value
+
+            # Windows Vista or newer
+            if float(self.target.ntversion) >= 6.0:
+                secret = _decrypt_aes(enc_data, self.lsakey)
+
+            # Windows XP
+            else:
+                secret = _decrypt_des(enc_data, self.lsakey)
+
+            result[subkey.name] = secret
+
+        return result
+
+    @export(record=LSASecretRecord)
+    def secrets(self) -> Iterator[LSASecretRecord]:
+        """Yield decrypted LSA secrets from a Windows target."""
+        for key, value in self._secrets.items():
+            yield LSASecretRecord(
+                ts=self.target.registry.key(f"{self.SECURITY_POLICY_KEY}\\Secrets\\{key}").ts,
+                name=key,
+                value=value.hex(),
+                _target=self.target,
+            )
+
+
+def _decrypt_aes(data: bytes, key: bytes) -> bytes:
+    ctx = hashlib.sha256()
+    ctx.update(key)
+    for _ in range(1, 1000 + 1):
+        ctx.update(data[28:60])
+
+    ciphertext = data[60:]
+    plaintext = []
+
+    for i in range(0, len(ciphertext), 16):
+        cipher = AES.new(ctx.digest(), AES.MODE_CBC, iv=b"\x00" * 16)
+        plaintext.append(cipher.decrypt(ciphertext[i : i + 16].ljust(16, b"\x00")))
+
+    return b"".join(plaintext)
+
+
+def _decrypt_rc4(data: bytes, key: bytes) -> bytes:
+    md5 = hashlib.md5()
+    md5.update(key)
+    for _ in range(1000):
+        md5.update(data[60:76])
+    rc4_key = md5.digest()
+
+    cipher = ARC4.new(rc4_key)
+    return cipher.decrypt(data[12:60])
+
+
+def _decrypt_des(data: bytes, key: bytes) -> bytes:
+    plaintext = []
+
+    enc_size = int.from_bytes(data[:4], "little")
+    data = data[len(data) - enc_size :]
+
+    key0 = key
+    for _ in range(0, len(data), 8):
+        ciphertext = data[:8]
+        block_key = _transform_key(key0[:7])
+
+        cipher = DES.new(block_key, DES.MODE_ECB)
+        plaintext.append(cipher.decrypt(ciphertext))
+
+        key0 = key0[7:]
+        data = data[8:]
+
+        if len(key0) < 7:
+            key0 = key[len(key0) :]
+
+    return b"".join(plaintext)
+
+
+def _transform_key(key: bytes) -> bytes:
+    new_key = []
+    new_key.append(((key[0] >> 0x01) << 1) & 0xFE)
+    for i in range(0, 6):
+        new_key.append((((key[i] & ((1 << (i + 1)) - 1)) << (6 - i) | (key[i + 1] >> (i + 2))) << 1) & 0xFE)
+    new_key.append(((key[6] & 0x7F) << 1) & 0xFE)
+    return bytes(new_key)

dissect/target/plugins/os/windows/{sam.py → credential/sam.py}

@@ -210,7 +210,7 @@ struct SAM_HASH_AES {  /* size: >=24 */
 c_sam = cstruct().load(sam_def)
 
 SamRecord = TargetRecordDescriptor(
-    "windows/registry/sam",
+    "windows/credential/sam",
     [
         ("uint32", "rid"),
         ("string", "fullname"),
@@ -303,6 +303,9 @@ class SamPlugin(Plugin):
         if not HAS_CRYPTO:
             raise UnsupportedPluginError("Missing pycryptodome dependency")
 
+        if not self.target.has_function("lsa"):
+            raise UnsupportedPluginError("LSA plugin is required for SAM plugin")
+
         if not len(list(self.target.registry.keys(self.SAM_KEY))) > 0:
             raise UnsupportedPluginError(f"Registry key not found: {self.SAM_KEY}")
 
@@ -374,7 +377,7 @@ class SamPlugin(Plugin):
             nt (string): Parsed NT-hash.
         """
 
-        syskey = self.target.dpapi.syskey  # aka. bootkey
+        syskey = self.target.lsa.syskey  # aka. bootkey
         samkey = self.calculate_samkey(syskey)  # aka. hashed bootkey or hbootkey
 
         almpassword = b"LMPASSWORD\0"

dissect/target/plugins/os/windows/defender.py

@@ -7,7 +7,7 @@ from pathlib import Path
 from typing import Any, BinaryIO, Generator, Iterable, Iterator, TextIO, Union
 
 import dissect.util.ts as ts
-from dissect.cstruct import Structure, cstruct
+from dissect.cstruct import cstruct
 from flow.record import Record
 
 from dissect.target import plugin
@@ -357,7 +357,7 @@ class QuarantineEntry:
         resource_info = c_defender.QuarantineEntrySection2(resource_buf)
 
         # List holding all quarantine entry resources that belong to this quarantine entry.
-        self.resources = []
+        self.resources: list[QuarantineEntryResource] = []
 
         for offset in resource_info.EntryOffsets:
             resource_buf.seek(offset)
@@ -393,7 +393,7 @@ class QuarantineEntryResource:
             # Move pointer
             offset += 4 + field.Size
 
-    def _add_field(self, field: Structure):
+    def _add_field(self, field: c_defender.QuarantineEntryResourceField) -> None:
         if field.Identifier == FIELD_IDENTIFIER.CQuaResDataID_File:
             self.resource_id = field.Data.hex().upper()
         elif field.Identifier == FIELD_IDENTIFIER.PhysicalPath:
@@ -627,6 +627,9 @@ class MicrosoftDefenderPlugin(plugin.Plugin):
                 if suffix.search(mplog_line):
                     break
             match = pattern.match(block)
+            if not match:
+                return
+
             data = match.groupdict()
             data["_target"] = self.target
             data["source_log"] = source

dissect/target/plugins/os/windows/dpapi/blob.py

@@ -90,6 +90,9 @@ class Blob:
         if self.decrypted:
             return True
 
+        if not master_key:
+            raise ValueError("No master key provided to decrypt blob with")
+
         for algo in [crypt_session_key_type1, crypt_session_key_type2]:
             session_key = algo(
                 master_key,